Hir0
asked on
Reverse PROXY SBS201 Client Access
I don't feel comfortable exposing my SBS2011 Machine to the web even from behind a NAT'd edge firewall. Im considering configuring a DMZ'd reverse proxy for CAS (RWA, Pop/Imap, etc) and configuring a DMZ'd edge transport server (or IronMail) for SMTP.
Any suggestions or recommendations?
Any suggestions or recommendations?
ASKER
I guess I wasn't entirely clear. I want to impliments something like Mandiants Rproxy in the DMZ for the reverse proxy to SBS2011's "CAS" for RWA and an Edge Transport Server (Or IronMail) in the DMZ for SMTP. Your suggestion, putting the CAS in the DMZ, is not recommended nor supported.
I still belive my configuration will be more secure than exposing sbs2011 to the WAN via port 25 and 443. Here is a few reasons...
- Monitor and log traffic
- Firewall/Filtering between proxy and server
- A less vurnable separate network stack
I'm curious why you think this configuration is no better than simply exposing SBS2011. Please provide more details for me to consider.
I still belive my configuration will be more secure than exposing sbs2011 to the WAN via port 25 and 443. Here is a few reasons...
- Monitor and log traffic
- Firewall/Filtering between proxy and server
- A less vurnable separate network stack
I'm curious why you think this configuration is no better than simply exposing SBS2011. Please provide more details for me to consider.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You make some really good points but you've missed the fundamental operation of a reverse proxy. The added security with a reverse proxy is that a session is terminated at the proxy and then a NEW session is started to the destination server. This is fundamentally different than NAT which just translates IP address in the IP header. I agree with you in regards to UTM appliances but they generally dont inspect packets deeper than 4 or 5 in the OSI model. A good reverse proxy will look at traffic all the way to layer 7. Also, as I pointed out the attack surface on a good hardened reverse proxy is smaller than a general OS. Common attack frameworks are usually targeted to general OS, and therfor useless.
I appreciate the input but I still think its worth the time to impliment an Rproxy. I guess I wasn't clear in my original request (apologies), but Im really looking for suggestions and recommendatons from people that have configured a reverse proxy with sbs2011.
I appreciate the input but I still think its worth the time to impliment an Rproxy. I guess I wasn't clear in my original request (apologies), but Im really looking for suggestions and recommendatons from people that have configured a reverse proxy with sbs2011.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am all for securing a network. But it also becomes a matter of risk vs reward. And I also can't recommend any strategy that gives the APPEARANCE of security without actual benefit, which is all a straight reverse proxy would do.